Abstract: A method to test an OS kernel interface, such as an eBPF helper function. The interface has a grammar that defines the kernel interface. Testing is carried out using eBPF code that invokes and tests the interface using a fuzzing engine. To facilitate the process, additional user space code is configured to generate at least one kernel event that triggers the eBPF code to run, and to transform inputs from the fuzzing engine according to the grammar that defines the kernel interface. After loading the eBPF code into the OS kernel, the user space code issues the kernel event that causes the eBPF code to run. In response, and as the fuzzing engine executes, the eBPF code records arguments sent to the OS kernel through the kernel interface. The arguments are passed through a data structure shared by the eBPF code and the user space code. By recording the arguments and other diagnostic information, the security of the kernel interface is evaluated.

Abstract: Methods and systems for assessing a software bill of materials (SBOM) include building a knowledge graph from repositories, using function fingerprints of software packages in the repositories. Dependencies of an application are identified using function fingerprints of the application and comparing to function fingerprints of the software packages. A quality score for an SBOM of the application is generated based on a comparison of the identified dependencies to claimed dependencies of the SBOM. An action is performed responsive to the quality score.

Abstract: A processor-implemented method generates adversarial example objects. One or more processors represent an adversarial input generation process as a graph. The processor(s) explore the graph, such that a sequence of edges on the graph are explored. The processor(s) create, based on the exploring, an adversarial example object, and utilize the created adversarial example object to harden an existing process model against vulnerabilities.

Abstract: Adaptive verifiable training enables the creation of machine learning models robust with respect to multiple robustness criteria. In general, such training exploits inherent inter-class similarities within input data and enforces multiple robustness criteria based on this information. In particular, the approach exploits pairwise class similarity and improves the performance of a robust model by relaxing robustness constraints for similar classes and increasing robustness constraints for dissimilar classes. Between similar classes, looser robustness criteria (i.e., smaller ?) are enforced so as to minimize possible overlap when estimating the robustness region during verification. Between dissimilar classes, stricter robustness regions (i.e., larger ?) are enforced. If pairwise class relationships are not available initially, preferably they are generated by receiving a pre-trained classifier and then applying a clustering algorithm (e.g., agglomerative clustering) to generate them.

Abstract: A method of designing an optical system including a dome light and coaxial light, includes: determining a distance between the dome light and the coaxial light based on a radius reduction according to a hole of the dome light; determining a size of the coaxial light based on an optical path of a light ray emitted from the coaxial light; and determining a structure of a printed circuit board (PCB) in the dome light based on an optical path through which the light ray emitted from the coaxial light is reflected by an object.

Abstract: Methods and systems for grayware analysis include running a software application in a sandbox. Activity information is collected from the software application that represents actions performed by the software application within an environment of the sandbox. The collected activity information is matched to a grayware activity description to identify the software application as performing a grayware activity. A corrective action is performed on the software application.

Abstract: A method, apparatus and computer program product to protect a deep neural network (DNN) having a plurality of layers including one or more intermediate layers. In this approach, a training data set is received. During training of the DNN using the received training data set, a representation of activations associated with an intermediate layer is recorded. For at least one or more of the representations, a separate classifier (model) is trained. The classifiers, collectively, are used to train an outlier detection model. Following training, the outliner detection model is used to detect an adversarial input on the deep neural network. The outlier detection model generates a prediction, and an indicator whether a given input is the adversarial input. According to a further aspect, an action is taken to protect a deployed system associated with the DNN in response to detection of the adversary input.

Abstract: Safety verification for reinforcement learning can include receiving a policy generated by deep reinforced learning, where the policy is used in acting in an environment having a set of states. Responsive to determining that the policy is a non-deterministic policy, the non-deterministic policy can be decomposed into a set of deterministic policies. Responsive to determining that a state-transition function associated with the set of states is unknown, the state-transition function can be approximated at least by training a deep neural network and transforming the deep neural network into a polynomial. Using a constraint solver the policy with the state-transition function can be verified. Runtime shielding can be performed.

Abstract: A method of designing an optical system including a dome light and coaxial light, includes: determining a distance between the dome light and the coaxial light based on a radius reduction according to a hole of the dome light; determining a size of the coaxial light based on an optical path of a light ray emitted from the coaxial light; and determining a structure of a printed circuit board (PCB) in the dome light based on an optical path through which the light ray emitted from the coaxial light is reflected by an object.

Abstract: A computer-implemented method according to one embodiment includes training a bidirectional encoder representations from transformers (BERT) model to generate a software representation. An intermediate representation (IR) of a software package is input to the trained BERT model, and a software representation corresponding to the software package is received as output from the trained BERT model. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method. A system according to another embodiment includes a processor, and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.

Abstract: A method, system and apparatus for software intelligence as-a-service, including decomposing software into functional blocks to provide a software genome, building a representation of the software genome in a knowledge graph linking granularities of the functional blocks, and identifying issues with a target software based on the knowledge graph.

Abstract: A method to test an OS kernel interface, such as an eBPF helper function. The interface has a grammar that defines the kernel interface. Testing is carried out using eBPF code that invokes and tests the interface using a fuzzing engine. To facilitate the process, additional user space code is configured to generate at least one kernel event that triggers the eBPF code to run, and to transform inputs from the fuzzing engine according to the grammar that defines the kernel interface. After loading the eBPF code into the OS kernel, the user space code issues the kernel event that causes the eBPF code to run. In response, and as the fuzzing engine executes, the eBPF code records arguments sent to the OS kernel through the kernel interface. The arguments are passed through a data structure shared by the eBPF code and the user space code. By recording the arguments and other diagnostic information, the security of the kernel interface is evaluated.

Abstract: A cloud based implemented method (and apparatus) includes receiving input data including bipartite graph data in a format of source MAC (Media Access Control) address data versus destination IP (Internet Protocol) data and timestamp information, and providing the input bipartite graph data into a first processing to detect malicious beaconing activities using a lockstep detection module on the input bipartite graph data, as executed in a cloud environment, to detect possible synchronized attacks against a targeted infrastructure.

Abstract: A neural network is augmented to enhance robustness against adversarial attack. In this approach, a fully-connected additional layer is associated with a last layer of the neural network. The additional layer has a lower dimensionality than at least one or more intermediate layers. After sizing the additional layer appropriately, a vector bit encoding is applied. The encoding comprises an encoding vector for each output class. Preferably, the encoding is an n-hot encoding, wherein n represents a hyperparameter. The resulting neural network is then trained to encourage the network to associated features with each of the hot positions. In this manner, the network learns a reduced feature set representing those features that contain a high amount of information with respect to each output class, and/or to learn constraints between those features and the output classes. The trained neural network is used to perform a classification that is robust against adversarial examples.

Abstract: Program analysis is provided. An intermediate representation of a program is generated. A set of structured inputs is provided to the program. The set of structured inputs are derived from the intermediate representation. The program is executed using the set of structured inputs. A set of action steps is performed in response to observing a violation of a policy during execution of the program using the structured inputs.

Abstract: An automated technique for security monitoring leverages a labeled semi-directed temporal graph derived from system-generated events. The temporal graph is mined to derive process-centric subgraphs, with each subgraph consisting of events related to a process. The subgraphs are then processed to identify atomic operations shared by the processes, wherein an atomic operation comprises a sequence of system-generated events that provide an objective context of interest. The temporal graph is then reconstructed by substituting the identified atomic operations derived from the subgraphs for the edges in the original temporal graph, thereby generating a reconstructed temporal graph. Using graph embedding, the reconstructed graph is converted into a representation suitable for further machine learning, e.g., using a deep neural network. The network is then trained to learn the intention underlying the temporal graph.

Abstract: An automated method for processing security events. It begins by building an initial version of a knowledge graph based on security information received from structured data sources. Using entities identified in the initial version, additional security information is then received. The additional information is extracted from one or more unstructured data sources. The additional information includes text in which the entities (from the structured data sources) appear. The text is processed to extract relationships involving the entities (from the structured data sources) to generate entities and relationships extracted from the unstructured data sources. The initial version of the knowledge graph is then augmented with the entities and relationships extracted from the unstructured data sources to build a new version of the knowledge graph that consolidates the intelligence received from the structured data sources and the unstructured data sources. The new version is then used to process security event data.

Abstract: An approach for detection of malware is disclosed. The approach involves the use of using IR level analysis and embedding of canonical representation on a suspecting sample of software code. The approach can be applied to both malicious and benign software. Specifically, the approach includes converting a binary code to an IR (intermediate representation), canonicalizing the IR into a canonical IR, extracting one or more similarity representation based on the extracted features and comparing the one or more similarity representation to known malware.

Abstract: An intrusion detection system (IDS) for a micro-services environment identifies attacks in substantially real-time and at a container-level. In this approach, behavior models are generated from container images using a binary analysis. A behavior model is a graph data structure having nodes and edges, wherein an edge represents a system call made by at least one process represented as a node in the graph data structure. The model is co-located with a running container, thereby enabling detection of anomalies as the container executes in a container environment on a hardware node. A per-container IDS function is instantiated by checking whether system call telemetry generated by an image's running container satisfies the associated behavior model that has been generated for the container image. If the telemetry indicates activity that deviates from the behavior model, an automated action is then initiated to attempt to address the attack, preferably while it is in progress.

Abstract: An encoder includes a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to generate a key, estimate a network capacity, and encode each bit of the key using a random matrix of a selected rank and the estimated network capacity for secure transmission of the key through a network.